lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3D9C3C7A.4525.6E37C2@localhost>
From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 10.03.2002
Apache 1.3.x shared memory scoreboard vulnerabilities

16:00 GMT, October 3, 2002


I. BACKGROUND

The Apache Software Foundation's HTTP Server is an effort to develop
and maintain an open-source HTTP server for modern operating systems
including Unix and Windows NT. The goal of this project is to provide
a secure, efficient and extensible server that provides HTTP services
in sync with the current HTTP standards.  More details about it are
available at http://httpd.apache.org .

II. DESCRIPTION

Apache HTTP Server contains a vulnerability in its shared memory
scoreboard. Attackers who can execute commands under the Apache UID
can either send a (SIGUSR1) signal to any process as root, in most
cases killing the process, or launch a local denial of service (DoS)
attack.

III. ANALYSIS

Exploitation requires execute permission under the Apache UID. This
can be obtained by any local user with a legitimate Apache scripting
resource (ie: PHP, Perl), exploiting a vulnerability in web-based
applications written in the above example languages, or through the
use of some other local/remote Apache exploit.

Once such a status is attained, the attacker can then attach to the
httpd daemon's 'scoreboard', which is stored in a shared memory
segment owned by Apache. The attacker can then cause a DoS condition
on the system by continuously filling the table with null values and
causing the server to spawn new children. 

The attacker also has the ability to send any process a SIGUSR1
signal as root. This is accomplished by continuously overwriting the
parent[].pid and parent[].last_rtime segments within the scoreboard
to the pid of the target process and a time in the past. When the
target pid receives the signal SIGUSR1, it will react according to
how it is designed to manage the signal. According to the man page
(man 7 signal), if the signal is un-handled then the default action
is to terminate:

     ...
     SIGUSR1 30,10,16 A User-defined signal 1
     ...
     The letters in the "Action" column have the following meanings:

     A Default action is to terminate the process.
     ...

iDEFENSE successfully terminated arbitrary processes, including those
that "kicked" people off the system.

IV. DETECTION

Apache HTTP Server 1.3.x, running on all applicable Unix platforms,
is affected.

V. VENDOR FIX/RESPONSE

Apache HTTP Server 1.3.27 fixes this problem. It should be available
on October 3 at http://www.apache.org/dist/httpd/ . 

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-0839 to this issue.

VII. DISCLOSURE TIMELINE

8/27/2002	Issue disclosed to iDEFENSE
9/18/2002	Vendor notified at security@...che.org
9/18/2002	iDEFENSE clients notified
9/19/2002	Response received from Mark J Cox (mark@....com)
10/3/2002	Coordinated public disclosure

VIII. CREDIT

zen-parse (zen-parse@....net) disclosed this issue to iDEFENSE.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. iALERT, our security intelligence service,
provides decision-makers, frontline security professionals and
network administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@...fense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPZx0I0rdNYRLCswqEQIowQCfQT+FYR1FLTEzlf49SpJXwDnie8wAn3Kr
CncduGV6EYHqVayQE90b7Yij
=4T8j
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ